nanog mailing list archives

Re: beware: being old sucks


From: Jeroen Wunnink via NANOG <nanog () lists nanog org>
Date: Tue, 2 Sep 2025 08:26:11 +0000

Few other tips:

  *   check if there are interfaces/tunnels set up that shouldn’t be there (sh int desc | inc Tu)
  *   check for locally configured users that should not be there
  *   check if nat is enabled while it should not be
  *   Is anyone currently logged on that you don’t expect to
  *   see if there are unexpected tcl scripts in the flash and/or boot media.
  *   Check if the http/https server is configured while it shouldn’t
  *   Disable finger protocol (sometimes enabled by default)
  *   Apply the Cisco-recommended defensive mitigations for CVE-2017-6736 through CVE-2017-6742 for securing any exposed SNMP community strings against a constrained MIB view (configs may be snatched this way)
  *   Apply mitigations for known exploits in the vStack smart install, this is a common entry vector and it’s sometimes enabled by default while not showing in config, leaving devices wide open (show vstack config / no vstack)
  *   I recommend doing a full nmap scan from a public non-trusted IP to see which ports may be open to the world that should, or you do not expect to be open. Adjust your ACLs based on this.
  *   Check your tacacs/radius config, make sure it’s not replaced/amended with something else that just functions to intercept your passwords
  *   Verify that your ‘line’ configs don’t refer to non-default AAA configs. If the line configuration references a named AAA profile, the previously entered AAA directives will be ineffective






Jeroen Wunnink
Sr. Manager - Integration Engineering

www.gtt.net


From: Randy Bush via NANOG <nanog () lists nanog org>
Date: Saturday, 30 August 2025 at 20:30
To: North American Network Operators' Group <nanog () lists nanog org>
Cc: Randy Bush <randy () psg com>
Subject: Re: beware: being old sucks

a fellow nanogger wrote:

I've only *just* gotten to the note from a week or more ago.

    + tftp-server nvram:startup-config          <<<<<<======
      snmp-server community foo 98
      snmp-server trap-source Vlan1
      snmp-server location Ashburn VA US
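
Review bot: the added `tftp-server nvram:startup-config` line makes the device serve its own startup config over TFTP, so it should be removed with `no tftp-server nvram:startup-config` and every secret stored in that config treated as exposed. The `snmp-server community foo 98` context line is also worth a look, to confirm that access list 98 still contains only what you expect.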

I, too, got this from a RANCID setup I built a long time ago.

and here is the talos report, thanks joe

   https://blog.talosintelligence.com/static-tundra/

set `no vstack` in config.  no, that is not the default.

I'd told the owner that I didn't think he had control of his gear
anymore, but this helped me to convince him to put a new switch in.

moving this to nanog because i did not elaborate on a critical point.

when you get this, presume the config of this trivial ancient device has
been snatched.  did the device have any burned in users, a la

     username foo privilege 15 password 7 bar

and that uid/pass is used on other, presumably more modern, devices,
you need to change the passwords everywhere.

same for other credentials, snmp, bgpmd5, ...

randy
_______________________________________________
NANOG mailing list
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/HJ64BOPTJ75K3EX5AEHR4E4LW5OZEEQG/

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/VWS6YH5CVPEYEX7Y4RRDGKCFOHU32LKR/
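
The checks from the tips above, run offline against a saved copy of a device config (for example the RANCID copy mentioned in the thread). This is an added example, not code from either poster; the sample config, the rule names, the `audit` function and its allow-list parameters are assumptions made for illustration.

```python
import re
# Constructed sample of a saved IOS-style config (not from a real device).
SAMPLE = """\
username admin privilege 15 secret 9 PLACEHOLDER
username foo privilege 15 password 7 bar
ip http server
no ip http secure-server
tftp-server nvram:startup-config
tacacs server T1
 address ipv4 192.0.2.10
interface Tunnel7
interface Vlan1
 ip nat inside
line vty 0 4
 login authentication BACKDOOR
"""
# Global patterns: any match is worth a human look.
RULES = [
    ("tunnel interface", r"interface Tunnel\S*"),
    ("nat enabled", r"\s*ip nat \S"),
    ("http server enabled", r"ip http (secure-)?server\b"),
    ("finger enabled", r"(ip|service) finger\b"),
    ("tftp-server entry", r"tftp-server \S"),
]
# Inside a "line" section: the AAA method list a login/authorization/accounting command names.
LINE_AAA = re.compile(r"\s+(?:login authentication|(?:authorization|accounting) \S+(?: \d+)?) (\S+)$")

def audit(config, allowed_users=(), allowed_aaa_hosts=()):
    """Return (check, detail) pairs for lines an operator should review."""
    findings, section = [], ""
    for line in config.splitlines():
        if line and not line[0].isspace():
            section = line  # an unindented command starts a new section
        for name, pattern in RULES:
            if re.match(pattern, line):
                findings.append((name, line.strip()))
        if (m := re.match(r"username (\S+)", line)) and m[1] not in allowed_users:
            findings.append(("unexpected local user", m[1]))
        if section.startswith("line ") and (m := LINE_AAA.match(line)) and m[1] != "default":
            findings.append(("line uses named AAA list", line.strip()))
        aaa = re.match(r"(?:tacacs|radius)-server host (\S+)", line)
        if not aaa and section.startswith(("tacacs server", "radius server")):
            aaa = re.match(r"\s+address ipv4 (\S+)", line)
        if aaa and aaa[1] not in allowed_aaa_hosts:
            findings.append(("unexpected AAA server", aaa[1]))
    if not re.search(r"^no vstack\s*$", config, re.M):  # absent line: Smart Install may still be on
        findings.append(("vstack not explicitly disabled", "add 'no vstack'"))
    return findings
```

Pass the users and TACACS/RADIUS hosts you expect as the allow-lists; everything else that matches is returned for review. A saved config only covers what the config shows, so the logged-in users, flash contents and external port scan from the list still need checking on the device itself.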

